Three Tools Every Malware Warrior Must Know How to Use
In an effort to thwart removal efforts, the criminals who produce malware such as WORM_SOHANAD.AF have taken to disabling Windows Task Manager and Registry Editor. The technique isn’t new, but its use is on the rise according to SANS NewsBites Vol. 9 No. 53:
BotVoice-A… disables the Windows registry editor which makes cleaning up the mess it leaves all the more difficult.
Editor Skoudis notes:
…disabling regedit and Task Manager are an increasingly common action of malware, in an attempt to blind tech-savvy users to the malware’s activities.
Nevertheless, there are three command-line tools that allow you to manage tasks and manipulate the registry: tasklist, taskkill and reg. To find out more about these tools, open a command window and type <command> /?, e.g., tasklist /?, and hit Enter. You’ll see the complete syntax and all options for the command. Note that tasklist and taskkill are not available to users of Windows XP Home Edition, so it’s a good idea to carry these executables with you on a flash drive (they will run on Home Edition).
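As an added example that is not part of the original post, here is a small batch file showing the three tools at work in one cleanup session. It assumes it is run from an elevated cmd.exe, and SUSPECT.EXE is a placeholder for an image name you have already identified as malicious, not a real sample. The DisableTaskMgr and DisableRegistryTools values it checks are the standard policy values under Policies\System that hide Task Manager and regedit; the post does not name them, so treat the key path as an assumption you should confirm on your own system.

```batch
@echo off
REM Added example (not from the original post) built around the three
REM command-line tools the post names: tasklist, taskkill and reg.
REM Assumptions: elevated cmd.exe on Windows XP or later; SUSPECT.EXE is a
REM placeholder for an image name already identified as malicious.

set SUSPECT=SUSPECT.EXE

REM 1. Enumerate running processes. /SVC also shows which services each
REM    svchost.exe is hosting; /FI filters on the image name of interest.
tasklist /SVC
tasklist /FI "IMAGENAME eq %SUSPECT%"

REM 2. Terminate the process by image name. /F forces termination and
REM    /T also ends any child processes it spawned.
taskkill /F /T /IM %SUSPECT%

REM 3. Check the policy values that hide Task Manager and regedit. They sit
REM    under Policies\System in HKCU (per-user) and HKLM (machine-wide);
REM    a DWORD value of 1 means the tool is disabled. Errors from a missing
REM    value are discarded so the script keeps going.
set POLKEY=Software\Microsoft\Windows\CurrentVersion\Policies\System
for %%H in (HKCU HKLM) do (
    reg query "%%H\%POLKEY%" /v DisableTaskMgr 2>nul
    reg query "%%H\%POLKEY%" /v DisableRegistryTools 2>nul
)

REM 4. Remove those values so the GUI tools work again. /f suppresses the
REM    confirmation prompt.
for %%H in (HKCU HKLM) do (
    reg delete "%%H\%POLKEY%" /v DisableTaskMgr /f 2>nul
    reg delete "%%H\%POLKEY%" /v DisableRegistryTools /f 2>nul
)

REM 5. Back up the per-user Run key before reviewing it, then list it so any
REM    remaining auto-start entry for the suspect image is visible. Delete a
REM    specific value only after you have read the backup:
REM    reg delete "HKCU\...\Run" /v <ValueName> /f
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "%TEMP%\run-backup.reg"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
```

Running the queries in step 3 before the deletions in step 4 gives you a record of what the malware changed, which is worth keeping alongside the exported .reg file; if either value reappears after a reboot, the process that restores it is still present and step 1 needs repeating.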
Admittedly, the GUI tools are a lot less cumbersome, but with a little practice using the command-line tools, you’ll find they are usually faster at accomplishing a given task.
I’ll give some real-world examples in a future post.
Cheers!
The Geek
Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a Microsoft Certified Systems Engineer with Connective Computing, Inc. and loves to learn about anything and everything.

3 Comments
GEAK
July 8th, 2007
at 1:37pm
Excellent advice, I’ve used tasklist & taskkill numerous times (even for non-malware related issues) and although I’m familiar with reg, I haven’t used it much. There’s only one minor drawback to these commands: two of them (tasklist & taskkill) are unavailable on Windows XP Home edition, which seems to be the OS installation of choice among most users. Perhaps carrying current versions of them around on a flash drive would be prudent for “malware warriors.”
gnomewriter
July 8th, 2007
at 9:33pm
Geak — Yeah, not available in Windows XP Home, so your advice to carry them around on a flash drive is good practice. I should have mentioned that.
Shaun Thomas
July 13th, 2007
at 9:16am
Hi Geek,
I run Windows XP Home ed. and so do not have access to tasklist and taskkill; would Process Explorer be an acceptable alternative to these products?
Shaun